To Catch a Predator: A Natural Language Approach for Eliciting Malicious
Payloads
Sam Small
Johns Hopkins University
Abstract
We present an automated, scalable method for crafting dynamic responses
to real-time network requests. Specifically, we provide a flexible
technique, based on natural language processing and string alignment,
for intelligently interacting with protocols, trained directly
from raw network traffic. We demonstrate the utility of our approach by
creating a low-interaction web-based honeypot capable of luring attacks
from search worms targeting hundreds of different web applications. In
just over two months, we witnessed over 368,000 attacks from more than
5,600 botnets targeting several hundred distinct webapps. The observed
attacks included several exploits detected the same day the
vulnerabilities were publicly disclosed. Our analysis of the payloads of
these attacks reveals the state of the art in search-worm-based botnets,
packed with surprisingly modular and diverse functionality.
Biography
Sam Small is a Ph.D. candidate in the Department of Computer Science at
Johns Hopkins University. His research interests include system and
network security, security for resource-constrained devices,
virtualization, and communication networks. Sam holds a B.S. in computer
science from the College of William and Mary, an M.S.E. in computer
science from Johns Hopkins University, and has served in fellowship
programs with the National Institute of Standards and Technology and the
National Science Foundation.